I have a diffrent example. Some one walks by a bank and sees the door open. Thinks some one must be working just in side the door. Next day he sees the door is still open. No big deal must be a busy bank. Third day door still open, he looks inside, and finds NO ONE THERE. Fourth Day he looks inside and sees not only is the door open but so is the vault. He calls up the bank... Has he commited a crime? How does that crime compair to the one the Bank is commiting with our money? Had he stayed away would it been his fault when a robber walked in and helped his self?

It kills me that you want to charge/jail the people who find the security flaws. Yet you dont raise up in arms about the clowns who fail to secure their sites in the first place. Or do but dont contiune to test and re-secure. Where is your outrage that software is shipped in its default configuration: DESIGNED with the security features set off; Designed to run harmfull code without checking.

Yes, the fellow in my example could steal from the bank. Yes, he may have stole from the bank. But if he had not have called. what you want to bet the bank is still wide open on the next day.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/70/11493#11493